SitePoint Sponsor

User Tag List

Page 1 of 2 12 LastLast
Results 1 to 25 of 35
  1. #1
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)

    Running PHP as "someome" on a linux server

    ok, so i encountered a problem about a year ago, and im still unable to resolve it.

    im using php5 on a linux server
    and i use php to upload images to folders on the server.

    the way i manage to do this, is by setting the destination folder's permission level to 777, anything other than this simply does not work for me.
    the php scrips runs under the username of "nobody", same as anyone else who is unknown...

    how can i have a php script run under a different username on the linux server, or better yet:

    how can i upload images using php without giving absolutely everyone access to that upload folder?

  2. #2
    SitePoint Member
    Join Date
    Oct 2008
    Posts
    13
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Definitely you need suphp:

    http://www.suphp.org

  3. #3
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    that is very usefull
    but as im a complete server related questions retard i cant figure out how to install it, and what it is?

    i downloaded and extracted suphp-0.7.1
    i found a extensionless installation file that features the following:
    The suPHP Apache module together with suPHP itself provides an easy way to
    run PHP scripts with different users on the same server.

    It provides security, because the PHP scripts are not run with the rights of
    the webserver's user.
    In addition to that you probably won't have to use PHP's "safe mode", which
    applies many restrictions on the scripts.

    Please note that the suPHP binary has to be installed setuid-root to work,
    so a security bug in suPHP probably will allow atackers to run commands with
    root privileges. Although I currently don't know any bug in suPHP I can't
    guarantee that there aren't any.

    2. Installation

    Run ./configure with the appropriate paramters for your system.

    On most systems a
    ./configure --prefix=/usr
    will suffice.

    The configure script can take the familar GNU autoconf arguments plus the
    following suPHP specific ones:

    --disable-checkpath: With this compile time option suPHP does not check,
    whether a script (or a symink to it)is inside the
    DOCUMENT_ROOT. You may want to activate this option
    if you are working with "Alias"-directives.

    --disable-checkuid: You may specify this option to make suPHP work with
    scripts whose UIDs are not listed in /etc/passwd.

    --disable-checkgid: You may specify this option to make suPHP work with
    scripts whose GIDs are not listed in /etc/group.

    --with-apxs=FILE: Path to "apxs" of your Apache installation. If not
    specified, configure will look for apxs in your PATH.
    Without apxs the Apache module mod_suphp will not be
    built. It will not be built either, if your Apache has
    been compiled without DSO support. Please make sure you
    specify the right path to apxs, because suPHP will use
    apxs to check whether to build mod_suphp for Apache 1
    or Apache 2.

    --with-min-uid=UID: The minium UID that suPHP will allow PHP to run scripts
    with (defaults to 100).

    --with-min-gid=GID: The minium GID that suPHP will allow PHP to run scripts
    with (defaults to 100).

    --with-apache-user=USERNAME:
    Username (not UID) Apache is running as (defaults to
    wwwrun).

    --with-logfile=FILE Path to the suPHP logfile (defaults to
    /var/log/httpd/suphp_log).

    --with-setid-mode=MODE:
    MODE has to be one of:
    "owner": Run scripts with owner UID/GID
    "force": Run scripts with UID/GID specified in Apache
    configuration
    "paranoid": Run scripts with owner UID/GID but also check
    if they match the UID/GID specified in the
    Apache configuration
    The default is "paranoid" mode.
    You should *NEVER* use "force" mode as it is very
    dangerous.
    While "owner" mode is not as dangerous as "force" mode
    its use is disadvised and "paranoid" mode should be
    preferred.

    Now compile suPHP using "make" and if no error occured install it using
    "make install". Be sure to be root, when you try to install it.

    If your Apache is running with DSO support and "apxs" was found during the
    build process, you are done. Otherwise you have to rebuilt your Apache
    server with "mod_suphp.c" included. If you used another prefix during the
    suPHP build than "/usr", you have to modify "mod_suphp.c" to set the path to
    the suPHP executable (which you can find in $exec_prefix/sbin/suphp).

    Details on how to compile your Apache webserver with mod_suphp can be found
    in apache/INSTALL.

    Now, you have to modify your "httpd.conf" to activate suPHP for specific
    VHosts. See apache/CONFIG for details on this.

    Please note that in order to make suPHP work, you have to specify at least
    one handler in the suPHP configuration file. Read CONFIG for additonal
    information about how to configure suPHP.
    it says
    On most systems a
    ./configure --prefix=/usr
    will suffice.

    where do i run this?
    is there a run command thing on the server somewhere (im using plesk if it helps)


    also i dont want this to be live until i understand it, i have a local apache server on my pc, how can i install suPHP on my localhost?

    thanks in advance

  4. #4
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Can you log into SSH? If you can, navigate to this directory (cd /full/path/to/the/directory/) and type ./configure --prefix=/usr
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  5. #5
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    after reading what SSH is, and how it works, i can say that i dont think i have SSH
    my personal stuff is hosted on a shared server...so i doubt i can install anything there.
    my localhost apache server that is on my pc is running on windows xp, so there is no point in suPHP here.

    can i use SSH with a shared host normally?
    i insert the ftp host/password in PuTTY for example?

    please bear with me, as this is the area im really weak in.

    edit:
    i just read that suPHP has to run on the CGI version of PHP, i think i know how to do this on the shared server (for testing purposes)
    but is there no way to have suPHP running on PHP as a module?
    and with all these complications, im starting to think, isn't there any easier alternative to suPHP?

    arkinstall
    Can you log into SSH? If you can, navigate to this directory (cd /full/path/to/the/directory/) and type ./configure --prefix=/usr
    i don't know

    do i insert the (cd /full/path/to/the/directory/) in a program? or a cmd window?

  6. #6
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Well, in a bash shell terminal, which you won't be able to access without SSH.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  7. #7
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    oh i have to run that on linux!
    i don't have linux on my pc.
    so how does one run commands on a distant linux host (server)?

    edit:
    do i use a SSH based program to connect to the distant linux server?

  8. #8
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Yep
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  9. #9
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    just asked my hosting provider
    he said, no, you don't have SSH access.

    basically this probably means im screwed in terms of "that" specific hosting...

    now im moving to a different host xD
    (that does support SSH)


    edit:
    ill get that other service relatively later.
    so for now im still interested if there are any other ways of running php on apache under a specific user.

  10. #10
    SitePoint Zealot
    Join Date
    Oct 2008
    Posts
    167
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You will want to find a webhost that runs PHP with suPHP. You won't be able to compile and install suphp if you are not the administrator of the server (have root access to the server).

    suPHP will run your PHP scripts as your account's username. You won't be able to specifiy what user the scripts run as, but they will always run as your account's username.

    That is, if your account username is yuri then your PHP scripts will be able to read and write to files and folders that are owned by the yuri user. This will alleviate the need for open directories (directories with permissions of 777).
    CanisHosting - Web Hosting plans starting at $3.95 per month

  11. #11
    PHP Guru lampcms.com's Avatar
    Join Date
    Jan 2009
    Posts
    921
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    First of all, you are wrong in assuming that account 'nobody' means "same as anyone else who is unknown"
    The 'nobody' is an actual account on the server and is usually used ONLY by the apache server.
    It's completely normal to have apache run under 'nobody'

    the fact that you dont have ssh account is a different story. It means that you cannot do any of the more advanced configurations on your server, which is not really a big loss in your case since you most likely dont have a root access and will not be able to set the more secure permissions on your uploads folder anyway.

  12. #12
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    sparek
    You will want to find a webhost that runs PHP with suPHP. You won't be able to compile and install suphp if you are not the administrator of the server (have root access to the server).

    suPHP will run your PHP scripts as your account's username. You won't be able to specifiy what user the scripts run as, but they will always run as your account's username.

    That is, if your account username is yuri then your PHP scripts will be able to read and write to files and folders that are owned by the yuri user. This will alleviate the need for open directories (directories with permissions of 777).
    very interesting.
    ill try to get my hands on a SSH enabled host, because i doubt ill find any good Spanish hosts with suphp xD
    additionally im reading about suEXEC right now, all too new for me...

    Sharedlog.com
    you most likely dont have a root access and will not be able to set the more secure permissions on your uploads folder anyway.
    what do you mean? im perfectly capable of changing the permission levels of the upload folders?

    'nobody' means "same as anyone else who is unknown"
    i was assuming this because i thought anyone can run as 'nobody' or 'apache'
    (I mean wouldn't it be more secure to run php under a different name from the default name? :P)

    so can i add 'nobody' to the owners group on the linux server?
    so that i could work with permission levels of 775 on the upload folder? instead of 777?

    edit:
    @arkinstall
    what program do you use to execute batch commands on a remote linux server?

  13. #13
    PHP Guru lampcms.com's Avatar
    Join Date
    Jan 2009
    Posts
    921
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You are changing permissions probably by using the ftp client.
    It's ok, but it's not the same as using the shell.
    If you are on a shared server, then it probably runs apache in a special way so that other users dont have access to each-other's directories. Honestly, I forgot what this is called since I have not used a shared server in almost 10 years.

    I think its called suexec. It makes it more secure for you, so you don't have to worry about other users reading files from your directories by using cgi or php scripts.

  14. #14
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Sharedlog.com
    You are changing permissions probably by using the ftp client.
    true
    Sharedlog.com
    If you are on a shared server, then it probably runs apache in a special way so that other users dont have access to each-other's directories. Honestly, I forgot what this is called since I have not used a shared server in almost 10 years.

    I think its called suexec. It makes it more secure for you, so you don't have to worry about other users reading files from your directories by using cgi or php scripts.
    hahaha
    that is an awesome explanation!
    now "finally" i understand why there is no way of achieving this on a shared server.


    so now i have to ask, how could i potentially achieve this on a shared server?
    and my other question i already asked, can i add "nobody" to the owners list, so that the php script can operate with a upload folder of 775 permission instead of a folder of 777 permission.

    or am i hopelessly stuck with this 777 folder?
    (i mean on the shared server)

    edit:
    i actually have a clients website on a dedicated host.
    so ill try to run suexec or suPHP to see if i can get that to work...

  15. #15
    PHP Guru lampcms.com's Avatar
    Join Date
    Jan 2009
    Posts
    921
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    In order to change ownership of directory you need to have shell access and be the current owner of that directory or a root user.
    YOu cannot change ownership with just an ftp client

  16. #16
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    Sharedlog.com
    In order to change ownership of directory you need to have shell access and be the current owner of that directory or a root user.
    YOu cannot change ownership with just an ftp client
    i understand.

    i dont think this can be done through the server web administration...

    basically now i know what i have to do.
    i have to get shell access to a server that supports SSH.

  17. #17
    SitePoint Zealot
    Join Date
    Oct 2008
    Posts
    167
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You really need to look for a webhost that uses suphp. Shell access is not going to help you. Unless I'm not understanding what you are wanting to do.

    You are wanting to allow a PHP script to upload files into a folder on your account without having to change the permissions on that upload folder to 777. Is that correct?

    suPHP is what you want for that. Having shell access isn't going to help you with anything involved with this.
    CanisHosting - Web Hosting plans starting at $3.95 per month

  18. #18
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    You are wanting to allow a PHP script to upload files into a folder on your account without having to change the permissions on that upload folder to 777. Is that correct?
    yes

    i just thought that with shell access ill be able to install suPHP...

  19. #19
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    You would.

    The question is, is it worth changing hosts and probably ending up paying more for one of the probably many solutions to this?

    Can you please explain what you need to protect the folder from? Other users on the server?

    If you simply don't want people to see it through http (their browser), you can simply have a .htaccess file inside that directory with the following:
    Code:
    deny from all
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  20. #20
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    arkinstall
    The question is, is it worth changing hosts and probably ending up paying more for one of the probably many solutions to this?
    i would love to know all the solutions to this first.

    Can you please explain what you need to protect the folder from? Other users on the server?
    to my (crappy) understanding 777 means that anyone can "write" to that folder, for example using javascirpt a person somewhere could write a harmful file to that folder?

    if this is not the case, and this folder is only available to me and the php script (including if it has 777 permission) then why do so many forums and people say its a bad idea to have a folder with permission levels of 777?

    If you simply don't want people to see it through http (their browser), you can simply have a .htaccess file inside that directory with the following:
    i do want people to have access to read, but not write to that folder.
    only my php script is supposed to have rights to write to that folder.

  21. #21
    SitePoint Zealot
    Join Date
    Oct 2008
    Posts
    167
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by YuriKolovsky View Post
    i just thought that with shell access ill be able to install suPHP...
    You will have to have root access on the server to install suPHP. If you are just a shared hosting user, then your host won't give you root access to the server.

    If you are talking about your own dedicated server, then you should have shell access to that server. Unless you purchased the dedicated server from a company that provides fully managed services, and even some of those company will give you root access.

    Quote Originally Posted by YuriKolovsky View Post
    to my (crappy) understanding 777 means that anyone can "write" to that folder, for example using javascirpt a person somewhere could write a harmful file to that folder?

    if this is not the case, and this folder is only available to me and the php script (including if it has 777 permission) then why do so many forums and people say its a bad idea to have a folder with permission levels of 777?
    Open files and folders means that anyone that has an account on the same server as you would have access to write files or information into those files and folders.

    On a shared hosting server, the server is only as secure as the least secure account on the server. This means that if a user on the server is running old versions of phpBB, Wordpress, etc. then their account can become hacked and if you have open files and folders on your account, then malicious users can then write to these files and folders from the hacked account on the server. So having open files and folders, even if your account stays up-to-date and secure, means that users can still write to these folders.

    This doesn't even have to happen when another account's script is compromised. Another account on the server could still have access to your open files and folders.

    Someone with an account on the server or through a compromised script on the server, could write a spam script into one of your open directories, and then access the script from your account and send out spam. It then looks as if your account is sending it out spam.

    However, again, if this is a dedicated server, if your account is the old account on the server, then open directories should be fine. Remember, security of a server is only as good as the least secure account on the server. If your account (or accounts that you administrate) is the only account on the server, then the server is as secure as your account is. Having open files and open directories has virtually no consequences because you do not have to worry about other accounts, accounts that you have no control over, being insecure.

    suPHP only helps when working in a shared hosting environment. This is because it locks PHP into the account's own account. With suPHP there is no need for 777 directories or 666 files. An account that is compromised by an outdated script is still compromised, but because you are not using open files and folders, that compromised script has no write access to those files and folders and can therefore only circumvent the security of the account that was hacked.
    CanisHosting - Web Hosting plans starting at $3.95 per month

  22. #22
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    sparek
    If your account (or accounts that you administrate) is the only account on the server, then the server is as secure as your account is. Having open files and open directories has virtually no consequences because you do not have to worry about other accounts, accounts that you have no control over, being insecure.
    well that clears up a lot of my confusion.

    to avoid possible confusion, ill explain.
    i use both types of hosting. dedicated and shared.
    none belong to me, but i administrate them both.

    currently only the dedicated server has 777 permission level upload folders, and im relieved to know this is not a security risk, as there is only 1 user on that server.
    so that being resolved, ill move on to the shared servers im using.
    sparek
    suPHP only helps when working in a shared hosting environment. This is because it locks PHP into the account's own account. With suPHP there is no need for 777 directories or 666 files. An account that is compromised by an outdated script is still compromised, but because you are not using open files and folders, that compromised script has no write access to those files and folders and can therefore only circumvent the security of the account that was hacked.
    so to install suPHP on a shared server i just find a shared server that supports suPHP from the beginning?
    or can i install suPHP myself "in case i have SSH support" and root access?

  23. #23
    Theoretical Physics Student bronze trophy Jake Arkinstall's Avatar
    Join Date
    May 2006
    Location
    Lancaster University, UK
    Posts
    7,062
    Mentioned
    2 Post(s)
    Tagged
    0 Thread(s)
    Basically, yes!

    You cannot write files to the server through HTTP - unless you have a PHP script doing the actual writing.

    They need to actually be on the server itself. So, if you use (S)FTP, SSH etc, you can then write files, because the server will allow you to.

    If you are running any insecure software on your server - software which hasn't been made with stability in mind, your server could be at risk. However, being the only user you shouldn't have any problems.

    Bottom line - people can't write to your server through HTTP.
    Jake Arkinstall
    "Sometimes you don't need to reinvent the wheel;
    Sometimes its enough to make that wheel more rounded"-Molona

  24. #24
    SitePoint Zealot
    Join Date
    Oct 2008
    Posts
    167
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Quote Originally Posted by YuriKolovsky View Post
    so to install suPHP on a shared server i just find a shared server that supports suPHP from the beginning?
    or can i install suPHP myself "in case i have SSH support" and root access?
    Having account-level SSH won't help you compile suPHP. suPHP uses an Apache module to do its thing, and this requires root-level access. If you are just a regular shared hosting user at some webhosting company, then having SSH access is not going to help you to install suPHP. You will have to be on your own dedicated server with root access to install suPHP.

    If you use cPanel, suPHP is a compile option in their EasyApache compile and set up. This is the easiest way to compile suPHP. But again, this requires root access. You are not going to get root access on a shared hosting account.

    If you are just wanting to have shared hosting, then your best bet is to find a webhost that uses suPHP on their shared hosting servers. I really thought most webhosts (cPanel webhosts anyway) ran suPHP on their shared hosting servers. That may not be the case, you may want to submit a sales inquiry to prospective webhosts asking about this before signing up.
    CanisHosting - Web Hosting plans starting at $3.95 per month

  25. #25
    Hibernator YuriKolovsky's Avatar
    Join Date
    Nov 2007
    Location
    Malaga, Spain
    Posts
    1,072
    Mentioned
    4 Post(s)
    Tagged
    0 Thread(s)
    arkinstall
    Bottom line - people can't write to your server through HTTP.
    yay!

    sparek
    If you use cPanel, suPHP is a compile option in their EasyApache compile and set up. This is the easiest way to compile suPHP. But again, this requires root access. You are not going to get root access on a shared hosting account.
    so unless i got cPanel on the shared host or preinstalled suPHP i can't have suPHP...

    now i just have to solve one problem...
    the upload folder on the shared server...


    i COULD save the images to a mysql database in blob format, but that seems like unnecessary fussle, but the only "secure" option.

    so any ideas how to upload images using php on a "shared server" without SSH or root access, without compromising security?


Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •